# OpenConnect integration for systemd-networkd

Helper files to integrate OpenConnect with **systemd-networkd** to simplify VPN setup and use in complex scenarios.

## Setup

In case of non-interactive OpenConnect authentication (using certificates only for instance) the setup is rather trivial. Some organisations unfortunately require entering one-time codes generated with a hardware token without an interface to request it programmatically. This setup tries to accommodate as much as possible for such meaninglessly inconvenient scenario.

By default `opcon-script.sh` is used for setting up routes and IP settings. It received limited testing so far: if it doesn't work for you - revert to using OpenConnect's bash spagetti by removing `-s opcon-script.sh` option from **opcon.service** file. Contributions are welcome.

### Requirements

In addition to OpenConnect itself, `dos2unix` and `expect` utilities are required.

## Usage

After placing files accordingly, make sure to restart **systemd-networkd** (`sudo systemctl restart systemd-networkd`) and reload **systemd** configuration (`sudo systemctl daemon-reload`).

The setup is split into interactive and automated part.

### Interactive part

* adjust `opcon.sh` wrapper script as necessary for the particular requirements from your organisation for your account
* run `opcon.expect` which will request password and PIN interactively and save required variables to */tmp/openconnect* file

There're different ways to combine long-term password with one-time PIN - you might want to adjust `opcon.expect` to better match your organisation's setup.

**N. B:** using this on a machine with several users and shared */tmp* is insecure for obvious reasons. Adjust accordingly.

Once OpenConnect [issue](https://gitlab.com/openconnect/openconnect/-/issues/522) is fixed, the `opcon.expect` can be dropped and `opcon.sh` can be used directly.

### Automated part

Run `sudo systemctl start opcon` to get your VPN up and running.

Depending on your organisation's settings the session cookie might periodically expire which will force you to repeat interactive part and start opcon service again.

# License

[GNU Lesser General Public License v3.0](https://www.gnu.org/licenses/lgpl-3.0.html) or later.

# Final notes

Using proprietary solutions for VPN is unsafe, expensive and insecure by definition. Organisations are advised to migrate to Libre Software with a history of independent public security audit like [Wireguard](https://www.wireguard.com/).